Modified: 2020-05-06 09:36:04 Copyright © 1996 - 2024 by Matthias Cramer

openssl howto

This is a very simple openssl howto. I made it mainly because I'm mostly too lazy to remember how to make a key and a CSR (certificate signing request). Here are the commands you have to enter on your command line to get a key and a CSR file:

Create a password protected key (the passphrase is given inline here as pass:hello; that puts it into your shell history and makes it visible in the process list while the command runs, so for anything real use -pass file:/path/to/file or -pass stdin instead):

openssl genpkey -out domainname.key -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -pass pass:hello

Or one without a passphrase:

openssl genpkey -out domainname.key -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048

Create the signing request. Enter the host name of the server (the FQDN, not a URL) in the CN (Common Name) field, or the e-mail address if the certificate is for S/MIME. Note that browsers today ignore the CN and require the host name in the subjectAltName extension, which your CA normally adds from the CN or which you can request with -addext "subjectAltName=DNS:..." (OpenSSL 1.1.1 or newer).

openssl req -new -key domainname.key -out domainname.csr

Verify your input:

openssl req -noout -text -in domainname.csr
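The three steps above (key, CSR, verification) as one runnable script. This is an added example, not code from the original page: it generates the key and the CSR non-interactively, reads the passphrase from a file instead of the command line, puts the host name into the subjectAltName as well as the CN, and then checks both the CSR's self-signature and the presence of the name. It assumes OpenSSL 1.1.1 or newer (for -addext); www.example.com, the directory and the passphrase file are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: the key + CSR steps above done
# non-interactively, with the name also placed in subjectAltName, followed by a
# check of the result. Assumes OpenSSL 1.1.1 or newer (for -addext).
# www.example.com, the directory and the passphrase file are placeholders.
set -eu

# make_key_and_csr DIR HOST [PASSFILE]
# Writes DIR/HOST.key (RSA 2048; AES-256 encrypted when PASSFILE is given)
# and DIR/HOST.csr whose CN and subjectAltName both carry HOST.
make_key_and_csr() {
    dir=$1; host=$2; passfile=${3:-}
    if [ -n "$passfile" ]; then
        # passphrase from a file: unlike -pass pass:..., it never shows up in
        # shell history or in the process list
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -aes-256-cbc -pass "file:$passfile" -out "$dir/$host.key" 2>/dev/null
        passin="-passin file:$passfile"
    else
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/$host.key" 2>/dev/null
        passin=""
    fi
    chmod 600 "$dir/$host.key"
    # -subj replaces the interactive prompts; -addext puts the host name into the
    # SAN extension, which browsers require (a CN on its own is no longer accepted)
    # shellcheck disable=SC2086   # $passin is intentionally word-split
    openssl req -new -key "$dir/$host.key" $passin \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -out "$dir/$host.csr"
}

# csr_check CSR HOST
# Exit 0 only if the CSR's self-signature verifies (the key in the request really
# signed it) and HOST is present as a DNS name in the SAN extension.
csr_check() {
    csr=$1; host=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -text | grep -q "DNS:$host" || return 1
}

# Demo run in a temporary directory that is removed again afterwards.
demo_csr() {
    tmp=$(mktemp -d)
    printf '%s\n' 'correct horse battery staple' > "$tmp/pass.txt"   # constructed passphrase
    make_key_and_csr "$tmp" www.example.com "$tmp/pass.txt"
    if csr_check "$tmp/www.example.com.csr" www.example.com; then
        echo "CSR for www.example.com verifies and carries the SAN"
    else
        echo "CSR check failed"
    fi
    rm -rf "$tmp"
}
demo_csr
```

The CSR is what goes to the CA; the key stays on the server with mode 600. If the CA rewrites the SAN from its own validation data, compare the issued certificate against the CSR afterwards with openssl x509 -noout -text.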


Here is another example of how to make a self-signed cert with one command (-nodes leaves the private key unencrypted, and because -keyout and -out name the same file, key and certificate end up together in mycert.pem):

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem

When you get a certificate, you probably want to check what's in it:

openssl x509 -text -in cert.pem

And for some applications you need the fingerprint of the certificate. Here are two variants, MD5 and SHA-1 fingerprints; both hashes are obsolete for anything security relevant, so use -sha256 wherever the application accepts it:

openssl x509 -md5 -fingerprint -in cert.pem
openssl x509 -sha1 -fingerprint -in cert.pem
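The self-signed one-liner and the fingerprint commands combined into something you can actually use for pinning. This is an added example, not code from the original page: it writes key and certificate to separate files, adds a subjectAltName, and then computes the SHA-256 fingerprint and compares it against an expected value, which is what most applications asking for a "fingerprint" want. It assumes OpenSSL 1.1.1 or newer (for -addext); the host name, paths and validity period are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: the one-command self-signed
# certificate from above with a SAN and separate key file, then SHA-256
# fingerprints and a pin check. Assumes OpenSSL 1.1.1 or newer; host name,
# paths and validity period are placeholders.
set -eu

# self_signed DIR HOST DAYS: unencrypted key in DIR/HOST.key, cert in DIR/HOST.crt
self_signed() {
    dir=$1; host=$2; days=$3
    ( umask 077; openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null )
}

# cert_has_san CERT HOST: exit 0 iff HOST appears as a DNS name in the SAN extension
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_fingerprint CERT: SHA-256 fingerprint as 64 lowercase hex digits, no colons
# (openssl prints "sha256 Fingerprint=AB:CD:..."; everything up to '=' is dropped)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -sha256 -fingerprint \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# cert_pin_matches CERT EXPECTED: exit 0 iff the certificate's SHA-256 fingerprint
# equals EXPECTED; colons and letter case in EXPECTED are ignored, so a value
# copied from a browser's certificate dialog can be pasted as is
cert_pin_matches() {
    want=$(printf '%s' "$2" | sed 's/://g' | tr 'A-F' 'a-f')
    [ "$(cert_fingerprint "$1")" = "$want" ]
}

demo_fingerprint() {
    tmp=$(mktemp -d)
    self_signed "$tmp" www.example.com 365
    fp=$(cert_fingerprint "$tmp/www.example.com.crt")
    echo "sha256 fingerprint: $fp"
    if cert_pin_matches "$tmp/www.example.com.crt" "$fp"; then echo "pin matches"; fi
    rm -rf "$tmp"
}
demo_fingerprint
```

A fingerprint is a hash of the whole DER certificate, so it changes whenever the certificate is reissued, even with the same key; pin it only for certificates you control or renew yourself.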

When you get a password protected key and don't want to enter the passphrase each time a daemon gets started, you can remove the passphrase with the following command (the input is the key file, not the certificate; the output is an unencrypted key, so keep it readable only by root or the daemon's user):

openssl rsa -in certin.pem -out certout.pem

If you have to check whether a key and a cert belong together, you can start OpenSSL's built-in web server in the following way:

openssl s_server -key www.key -cert www.crt -www

You can then connect to port 4433 of that server with HTTPS. If the key does not match the certificate, s_server refuses to start and reports a key mismatch error instead.

To test a remote certificate, you can use the OpenSSL built-in client. Look for "Verify return code: 0 (ok)" at the end of the output. -CApath /etc/ssl/certs/ is the system CA store on Debian-based systems; elsewhere point -CAfile at your CA bundle. OpenSSL 1.1.1 and newer send the host name as SNI automatically; with older versions add -servername www.example.com, otherwise a server hosting several names may hand you the wrong certificate.

openssl s_client -connect www.example.com:443 -showcerts -CApath /etc/ssl/certs/  # HTTPS
openssl s_client -connect www.example.com:465 -showcerts -CApath /etc/ssl/certs/  # SMTPS
openssl s_client -connect www.example.com:995 -showcerts -CApath /etc/ssl/certs/  # POP3S

openssl s_client -connect www.example.com:25 -starttls smtp -showcerts -CApath /etc/ssl/certs/  # STARTTLS over SMTP

Sometimes you have to deal with PKCS#12 certificate files; they can be converted from and to PEM format. The first line converts PEM to PKCS#12 (it asks for an export password), the second line does the opposite (-nodes leaves the extracted key unencrypted). PKCS#12 files sometimes have the extension .pfx and sometimes .p12:

openssl pkcs12 -export -out mycert.p12 -in mycert.pem -name "Certificate"
openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes
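The two conversions above as a round trip with a check. This is an added example, not code from the original page: it bundles a key and certificate into a PKCS#12 file with the export password read from a file, reads the friendly name back, extracts everything to PEM again and confirms the certificate came through unchanged by comparing SHA-256 fingerprints. It assumes OpenSSL 1.1.1 or newer; all file names and the passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: PEM -> PKCS#12 -> PEM round trip
# with the export password read from a file, plus checks that the friendly name
# and the certificate survived unchanged. Assumes OpenSSL 1.1.1 or newer; all
# file names and the passphrase are placeholders.
set -eu

# pem_to_p12 KEY CERT OUT PASSFILE [NAME]: bundle key and certificate into OUT.
# The page's one-file form works too (-in with a PEM holding both); -inkey is
# the explicit variant. OpenSSL 3 encrypts with AES-256-CBC/PBKDF2 by default;
# add -legacy only for consumers that still insist on RC2/3DES.
pem_to_p12() {
    name=${5:-Certificate}
    ( umask 077; openssl pkcs12 -export -inkey "$1" -in "$2" -name "$name" \
        -passout "file:$4" -out "$3" )
}

# p12_to_pem P12 OUT PASSFILE: extract key and certificate(s) as PEM; -nodes
# writes the key unencrypted, so the file gets owner-only permissions
p12_to_pem() {
    ( umask 077; openssl pkcs12 -in "$1" -passin "file:$3" -nodes -out "$2" )
}

# p12_friendly_name P12 PASSFILE: print the friendlyName attribute of the
# certificate bag (keys are left out; bag attributes precede the certificate)
p12_friendly_name() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# cert_fingerprint PEMFILE: SHA-256 fingerprint of the first certificate in the
# file (openssl x509 skips a private key block that precedes it)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -sha256 -fingerprint | sed 's/^.*=//'
}

demo_p12() {
    tmp=$(mktemp -d)
    printf 'export-secret\n' > "$tmp/pass"                                 # constructed
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj /CN=www.example.com \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    pem_to_p12 "$tmp/key.pem" "$tmp/cert.pem" "$tmp/bundle.p12" "$tmp/pass" "www bundle"
    echo "friendlyName: $(p12_friendly_name "$tmp/bundle.p12" "$tmp/pass")"
    p12_to_pem "$tmp/bundle.p12" "$tmp/roundtrip.pem" "$tmp/pass"
    [ "$(cert_fingerprint "$tmp/cert.pem")" = "$(cert_fingerprint "$tmp/roundtrip.pem")" ] \
        && echo "certificate unchanged after round trip"
    rm -rf "$tmp"
}
demo_p12
```

The friendly name is what Windows and Java keystores show as the alias, so set it deliberately; the export password protects the private key inside the bundle and should not be the key's old PEM passphrase reused.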